tags:

views:

63

answers:

1
+1  Q: 

Safely rendering user provided django templates

So as per a previous question of mine I've decided to start a website which allows django designers to upload templates and css files. I'll provide a well defined set of context inputs and objects and then render the templates that the users provided. This will hopefully give newbies a large set of examples to work from and designers a good way to stretch their wings.

I need a way to determine whether a template is "safe" to render. Hopefully making sure there are no malicious javascript, crazy path requests that will destroy my webserver, etc. Now I know that there's no guaranteed way to sanitize these but I'd like something better than just "trust my users".

Any suggestions would be welcome.

+3  A: 

I know this is not exactly what you are hoping for, but the safest option is to allow the end users to save a copy of their template, render the html & css with all tags escaped. You can allow them to upload a picture of what the finished theme would look like.

Your second option is to allow them to upload anything but not display it on the website until you have audited what they have submitted.

wlashell  2010-01-01 02:40:30
Thanks for the thought, I think this is something akin to what DjangoSites.org does but I'm hoping for something a little more automated.
JudoWill  2010-01-01 02:46:36
Really, you just can't trust random users. Anything which can result in an unchecked fetch of ... *anything* can result in Bad Things Happening: href, src, iframe, javascript, even url()'s in css files etc.
Peter Rowell  2010-01-01 04:11:12
I've been searching around and I think you're right. I made a form which copies the files (escaped!!!) into an email. I just need to scan through for anything "fishy" and then approve or disapprove. I have enough knowledge to know when people are doing stuff they're not supposed to be doing.
JudoWill  2010-01-01 17:21:30

related questions

Django: Print url of view without hardcoding the url
Django Calendar Widget?
Can the HTTP version or headers affect the visual appearance of a web page?
Project design / FS layout for large django projects
Extending the User model with custom fields in Django
How to generate urls in django
Always including the user in the django template context
Screencasts for Django/Python?
Using Django time/date widgets in custom form
How do I add data to an existing model in Django?
Setup django with WSGI and apache
Altering database tables in Django
Django Templates and variable attributes.
Django ImageField core=False in newforms admin
How can I render a tree structure (recursive) using a django template?
Cleanest & Fastest server setup for Django
Unicode vs UTF-8 confusion in Python / Django?
Does Hostmonster support Django
Specifying a mySQL ENUM in a Django model
Represent Ordering in a Relational Database
updating an auto_now DateTimeField in a parent model w/ Django
Version track, automate DB schema changes with django
Learning Ruby on Rails any good for Grails?
What Hosting Service is best for Django applications?
Class views in Django